Abstract


Church-Turing computability was extended by Brouwer who considered non-lawlike computability in the form of free choice sequences. Those are essentially unbounded sequences whose elements are chosen freely, i.e. not subject to any law. In this work we develop a new type theory BITT, which is an extension of the type theory of the Nuprl proof assistant, that embeds the notion of choice sequences. Supporting the evolving, non-deterministic nature of these objects required major modifications to the underlying type theory. Even though the construction of a choice sequence is non-deterministic, once certain choices were made, they must remain consistent. To ensure this, BITT uses the underlying library as state and stores choices as they are created. Another salient feature of BITT is that it uses a Beth-like semantics to account for the dynamic nature of choice sequences. We formally define BITT and use it to interpret and validate essential axioms governing choice sequences. These results provide a foundation for a fully intuitionistic version of Nuprl.

1 Introduction


Brouwer’s broader notion of computability extends that of Church-Turing by the inclusion of non-lawlike computability based on free choice sequences. Those are fundamental objects introduced by Brouwer [10] that lie at the heart of intuitionistic mathematics. They are there described as “new mathematical entities...in the form of infinitely proceeding sequences, whose terms are chosen more or less freely from mathematical entities previously acquired”.

The first key feature of free choice sequences is the fact that they are infinitely proceeding. This is a non-platonic approach in which a free choice sequence comes into existence by a never-ending process of picking elements from a previously well-defined collection, e.g. natural numbers. Therefore, a free choice sequence is never fully completed and can always be extended. The second component of free choice sequences is that the choices are made freely, that is, not governed by any law.

In this work we show that the constructive type theory implemented by the Nuprl proof assistant [15; 4] can be consistently extended to an intuitionistic type theory that supports Brouwer’s broader sense of computability through the embedding of free choice sequences. Since the concept of non-lawlike computations, as well as the notion of spreads, Bar Induction, and the Continuity Principle, are the salient consequences of Brouwer’s intuitions [11; 12], we call this new extended type theory BITT.¹ BITT then paves the way for turning Nuprl into a fully intuitionistic proof assistant.

The theory governing free choice sequences has been widely studied, but the various works on the subject take different interpretations of the basic notions.² This results in a variety of interpretations of free choice sequences (e.g., [26; 7; 43; 42; 30; 47; 35]). In this paper we aim to create a completely formal account of choice sequences, driven by the design constraints of their implementation in a theorem prover. That is, we offer an account that captures fundamental notions concerning free choice sequences, while being suitable for implementation.

In [39] the assumption of existence of choice sequences was exploited to establish Bar Induction, a key intuitionistic principle, in Nuprl. However, choice sequences were there used only as an instrumental tool in the metatheory, not embedded into the theory itself. Choice sequences were generated using Coq functions, including ones that use non-computable axioms. As noted in [39]: “choice sequences do not have to be—and are not—part of the syntax of Nuprl definitions and proofs, i.e., the syntax visible to users”. This approach had some undesired consequences. Mainly, it made Nuprl’s syntax infinitary, which in turn had the side effect that many properties, such as syntactic equality or $\alpha$-equality, became undecidable (in the metatheoretical syntax of Nuprl).

In this work we remedy this situation by implementing the concept of choice sequences in the theory itself as finite, unbounded sequences, as opposed to infinite sequences in [39]. The formalization presented here resolves both aforementioned issues. It incorporates choice sequences into the user syntax, while keeping it finitary, which entails that properties such as syntactic equality and $\alpha$-equality remain decidable. One of our long-term goals for the implementation is to allow the derivation of the key Bar Induction and Continuity principles, which have been widely studied in the literature (e.g., [26; 30; 44; 47; 7; 41; 25; 22]) but only recently in the context of a mechanized proof assistant [38; 39]. This presents an implementation challenge, as the two principles correspond to different properties of choice sequences. Bar Induction requires the existence of some form of non-recursive functions, i.e. free choice sequences. Continuity, on the other hand, entails a restriction on the behavior of all non-recursive functions, i.e. it puts a constraint on the topological space they induce.³ Accordingly, our work is to carefully craft the design constraints of the theory of free choice sequences, balancing these two properties.

¹ The term “intuitionistic type theory” had already been used by Per Martin-Löf [33; 36]. However, those type theories do not include Brouwer’s fundamental idea of non-lawlike computation.

² In the literature free choice sequences are sometimes called “lawless sequences” [35].

Implementing choice sequences entails incorporating certain non-deterministic features into BITT, as well as developing ways to handle them. One way to think about non-determinism is as a process that even for the same input, can exhibit different behaviors. The form of non-determinism required for reasoning in the presence of choice sequences is slightly different. While the process of picking the values of a choice sequence is non-deterministic, once certain values were chosen, they must remain unchanged. To capture that we rely on the digital library of facts and definitions underlying Nuprl to act as state, and store in it our already chosen values of the choice sequence. This required BITT to extend Nuprl’s computation system, as is presented in Sec. 3.

To support this evolving nature of choice sequences, and thus libraries, the semantics of BITT also extends that of Nuprl. In BITT we invoke a Beth-style semantics [48; 21; 20, Sec.5.4], in which the possible worlds correspond to extensions of the library. Under this Beth model, types are interpreted as partial equivalence relations (PERs) on closed terms that need only exist in bars of the current library, i.e., collections of libraries covering all possible extensions of the current library (see Sec. 4). A Beth model is especially well-suited to model choice sequences because there expressions only need to “eventually” compute to values, which is compatible with the “eventual” nature of choice sequences that are only partially given at a given time, with the promise that they can always be extended in the future. We show that the resulting type system satisfies the standard properties of a type system (such as transitivity and symmetry), as well as properties which are unique to possible-world semantics, such as monotonicity and locality.

After establishing the well-formedness of the resulting type system, we demonstrate its adequacy for the theory of choice sequences. We do so by validating inference rules governing choice sequences (see Sec. 6). The entire development and results presented in this paper have been fully formalized in Coq, and in the sequel we provide pointers to the Coq formalization in the appropriate places.

Exploring Brouwer’s wider notion of computability in a formal setting has, in our opinion, the potential to provide a broader and deeper foundational theory for computer science. Nevertheless, the integration of choice sequences into mechanized proof assistants is not only important from a foundational standpoint, but also seems to offer interesting consequences and possible practical applications. For instance, we believe that this formalization can be used to model complex systems. Computable functions could be used to model the processes of a distributed system, while the free choice sequences could be used to model sensors (or uncontrolled, unpredictable inputs from the environment).


Outline. The rest of the paper is organized as follows: Sec. 2 provides essential background on key features of Nuprl’s type theory. Sec. 3 describes the integration of choice sequences into BITT, mainly the use of the underlying library. Sec. 4 provides a detailed account of how the semantics of Nuprl has been modified into a Beth-like one in BITT. This includes the formal treatment of bars, proving preservation of salient properties of the type system, as well as new properties that are distinctive to the new semantics. Sec. 5 describes the extension of the function type $\mathbb{N} \to \mathbb{N}$, which previously contained only computable functions, by choice sequences of numbers. Sec. 6 discusses the axioms of choice sequences in BITT. Finally, Sec. 7 concludes.

³ Note that full Bar Induction (i.e., where the bar is not constrained to be decidable or monotone) contradicts the Continuity Principle [26, Sec. 7.14, Lem. *27.23].


2 Background 


Nuprl implements a dependent type theory called Constructive 
Type Theory (CTT). This section presents some key aspects of CTT. 


Computation system. Nuprl’s programming language is an untyped (à la Curry), lazy $\lambda$-calculus with pairs, injections, a fixpoint operator, etc. For efficiency, integers are primitive and Nuprl provides operations on integers as well as comparison operators.

Fig. 1 presents a subset of Nuprl’s syntax and small-step operational semantics. We only show in it the part that is either mentioned or used in this paper. A term is either (1) a variable; (2) a canonical form, i.e., a value or an exception (see [38]); or (3) a non-canonical term. A non-canonical term $t$ has one or two principal arguments—marked using boxes in Fig. 1—which are terms that have to be evaluated to canonical forms before $t$ can be reduced further. For example, the application $f\ a$, often written as $f(a)$, diverges if $f$ diverges. In Fig. 1 we omit rules that reduce principal arguments such as: if $t_1 \mapsto t_2$ then $t_1\ u \mapsto t_2\ u$.

We use the following abstractions in the sequel: = $\mathtt{fix}(\lambda x.x)$, $\mathtt{tt} = \mathtt{inl}(\star)$, and $\mathtt{ff} = \mathtt{inr}(\star)$. Also, we write $a =_T b$ for the type $a = b \in T$, $\lambda x_1,\dots,x_n.t$ for $\lambda x_1.\dots\lambda x_n.t$, and $t_1 \to t_2$ for the non-dependent product type (i.e. the function type).⁴


Type system. Nuprl’s types are interpreted as partial equivalence relations (PERs) on closed terms [2; 3; 18]. The PER semantics can be seen as an inductive-recursive definition of: (1) an inductive relation $T_1 \equiv T_2$ that expresses type equality; (2) a recursive function $a \equiv b \in T$ that expresses equality in a type. For example, one case in the definition of $T_1 \equiv T_2$ states that (i) $T_1$ computes to $\forall x_1{:}A_1.\,B_1$; (ii) $T_2$ computes to $\forall x_2{:}A_2.\,B_2$; (iii) $A_1 \equiv A_2$; and (iv) for all closed terms $t_1, t_2$ such that $t_1 \equiv t_2 \in A_1$, $B_1[x_1\backslash t_1] \equiv B_2[x_2\backslash t_2]$. We say that a term $t$ inhabits or realizes a type $T$ if $t$ is equal to itself in the PER interpretation of $T$, i.e., $t \equiv t \in T$. It follows from the PER interpretation of types that an equality type of the form $a = b \in T$ is true (i.e. inhabited) iff $a \equiv b \in T$ holds [5; 37]. Note that an equality type can only be inhabited by the constant $\star$, i.e., they do not have computational content, unlike in Homotopy type theory [46].


Computational equivalence relation. Nuprl is closed under Howe’s computational equivalence $\sim$, which was proven to be a congruence [24]. In general, computing and reasoning about computation in Nuprl involves reasoning about Howe’s computational equivalence relation. It is commonly used to reduce expressions by proving that terms are computationally equivalent and using the fact that $\sim$ is a congruence. For that, Nuprl provides the type $t_1 \simeq t_2$, which is the theoretical counterpart of the metatheoretical relation $t_1 \sim t_2$. To reason about any term in the computation system, Nuprl provides the Base type, which is the type of all closed terms of the computation system with $\sim$ as its equality.


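⁴ Note that BITT and its metatheory share similar connectors. For readability, we often omit type information in quantifiers for the metatheoretical ones.

Figure 1 Syntax (top) and operational semantics (bottom) of a subset of Nuprl

$$
\begin{array}{rcl}
v \in \mathtt{Value} & ::= & vt\ (\text{type}) \mid \mathtt{inl}(t)\ (\text{left injection}) \mid \star\ (\text{axiom}) \mid \langle t_1, t_2 \rangle\ (\text{pair}) \\
 & \mid & \lambda x.t\ (\text{lambda}) \mid \mathtt{inr}(t)\ (\text{right injection}) \mid i\ (\text{integer}) \\
vt \in \mathtt{Type} & ::= & \mathbb{Z}\ (\text{integer type}) \mid \forall x{:}t_1.\,t_2\ (\text{product}) \mid t_1 = t_2 \in t\ (\text{equality}) \mid \{x : t_1 \mid t_2\}\ (\text{set}) \\
 & \mid & \mathtt{Base}\ (\text{base}) \mid \exists x{:}t_1.\,t_2\ (\text{sum}) \mid t_1 + t_2\ (\text{disjoint union}) \mid t_1 /\!/ t_2\ (\text{quotient}) \\
 & \mid & \mathbb{U}_i\ (\text{universe}) \mid t_1 \simeq t_2\ (\text{bisimulation}) \\
t \in \mathtt{Term} & ::= & x\ (\text{variable}) \mid \mathtt{let}\ x := \boxed{t_1}\ \mathtt{in}\ t_2\ (\text{call-by-value}) \mid \mathtt{case}\ \boxed{t_1}\ \mathtt{of}\ \mathtt{inl}(x) \Rightarrow t_2 \mid \mathtt{inr}(y) \Rightarrow t_3\ (\text{decide}) \\
 & \mid & v\ (\text{value}) \mid \mathtt{let}\ x, y = \boxed{t_1}\ \mathtt{in}\ t_2\ (\text{spread}) \mid \mathtt{iflam}(\boxed{t_1}, t_2, t_3)\ (\text{lambda test}) \\
 & \mid & \boxed{t_1}\ t_2\ (\text{application}) \mid \mathtt{fix}(\boxed{t})\ (\text{fixpoint})
\end{array}
$$

$$
\begin{array}{rcl}
(\lambda x.F)\ a & \mapsto & F[x\backslash a] \\
\mathtt{fix}(v) & \mapsto & v\ \mathtt{fix}(v) \\
\mathtt{let}\ x := v\ \mathtt{in}\ t & \mapsto & t[x\backslash v] \\
\mathtt{let}\ x, y = \langle t_1, t_2 \rangle\ \mathtt{in}\ F & \mapsto & F[x\backslash t_1; y\backslash t_2] \\
\mathtt{iflam}(\lambda x.t, t_1, t_2) & \mapsto & t_1 \\
\mathtt{iflam}(v, t_1, t_2) & \mapsto & t_2, \text{ if } v \text{ is not a } \lambda\text{-term} \\
\mathtt{case}\ \mathtt{inl}(t)\ \mathtt{of}\ \mathtt{inl}(x) \Rightarrow F \mid \mathtt{inr}(y) \Rightarrow G & \mapsto & F[x\backslash t] \\
\mathtt{case}\ \mathtt{inr}(t)\ \mathtt{of}\ \mathtt{inl}(x) \Rightarrow F \mid \mathtt{inr}(y) \Rightarrow G & \mapsto & G[y\backslash t]
\end{array}
$$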


Squashing. Nuprl has a squashing mechanism, which we use in Sec. 6. It throws away the evidence that a type is inhabited and squashes it down to a single inhabitant using set types [15, pp.60]: $\downarrow T = \{\mathtt{Unit} \mid T\}$. The only member of this type is the constant $\star$, which is Unit’s single inhabitant, and which is similar to () in languages such as OCaml, Haskell or SML. The constant $\star$ inhabits $\downarrow T$ if $T$ is true/inhabited, but we do not keep the proof that it is true. See [38] for more details on squashing.


Sequents and rules. Sequents are of the form $h_1, \dots, h_n \vdash T\ [\mathtt{ext}\ t]$. The term $t$ is a member of the type $T$, which in this context is called the extract or evidence of $T$. Extracts are programs that are computed by the system once a proof is complete. We will sometimes omit proof extracts when they are irrelevant to the discussion. An hypothesis $h$ is of the form $x : A$, where the variable $x$ is referred to as the name of the hypothesis and $A$ its type. Such a sequent states, among other things, that $T$ is a type and $t$ is a member of $T$. A rule is a pair of a conclusion sequent $S$ and a list of premise sequents, $S_1, \dots, S_n$, which we write as:

$$\frac{S_1 \quad \cdots \quad S_n}{S}$$


Several equivalent definitions for the validity of sequents appear in the Nuprl literature [15; 18; 27; 5]. Since our results are invariant to the specific semantics, we do not repeat them here. The sequent semantics standardly induces the notion of validity of a rule, i.e., the validity of the premises entails the validity of the conclusion.


Coq formalization. Recently, CTT has been formalized in Coq [5; 37; 38]. The implementation includes: (1) Nuprl’s computation system; (2) Howe’s computational equivalence relation, and a proof that it is a congruence; (3) a definition of the PER semantics of CTT; (4) definitions of Nuprl’s derivation rules, and their soundness proofs w.r.t. the PER semantics; and (5) a proof of Nuprl’s consistency. This formalization allows for a safe and mechanical way to verify the soundness of existing as well as new rules.


3 Library as State 


This section discusses the introduction of choice sequences into BITT’s computation system, in which the library plays a major role. Basically, the library is used as a state in which we store the choices of values that have been made for a particular choice sequence at a given point in time. In mainstream programming languages such information can be stored using global variables. However, since proof assistants do not support global variables, the library is treated as one to enable stateful computations.


Figure 2 Library structure 


3.1 Open-ended Libraries 


Until now, a Nuprl library consisted of a list of definitions and lemmas. We here introduce a new kind of library entry — that of choice sequences. A choice sequence entry is again a list, this time of terms. Thus, a library can be extended in two orthogonal directions: by adding more entries to the library, or by adding more values to a choice sequence entry (see Fig. 2, where C.S. stands for a choice sequence entry). This can be seen as an interpretation of Brouwer’s notion of a choice sequence progressing over time, as implemented by progressing over library extensions.

In [39] choice sequences were treated as infinite sequences. Here, because we now have a concrete implementation, instead of a priori assuming an infinite object, we take the infinite nature of choice sequences as potential. Choice sequences are: (1) essentially always finite, (2) but ever growing. Accordingly, we capture these two components in different layers of the implementation. Choice sequences are finite at any stage of the library since they are implemented simply as lists. However, they are infinitely proceeding because the library is open-ended and can always be extended (this is accounted for in the interpretation of types as explained in Sec. 4). The fact that a library is open-ended allows for arbitrary extensions of any particular choice sequence, but also for the introduction of arbitrarily many choice sequence entries.


3.2 Restrictions and Name Spaces 


Choice sequences are implemented such that each choice sequence entry in the library comes equipped with a restriction. There is a vast discussion in the literature about the various types of restrictions: in [6; 7] there is a distinction between “definitive” restrictions and “provisional” restrictions: definitive ones are permanent, and provisional ones can be lifted at a later stage; [43] discusses choice sequences which are “hesitant” (start free, but at any stage may be restricted to continue by a law); and there is also a classification of restrictions by their order (a restriction on future restriction is a second-order restriction). Restrictions can be made in advance or imposed at any stage of the construction of a sequence.

We implement a simple notion of restrictions, which are given in advance and can either be a law given as a Coq function $f$ from numbers to terms, such that the $n$th entry of the choice sequence has to be $f(n)$; or some binary restriction predicate $P$ on term/number pairs. In the latter case, $P(n, t)$ expresses whether $t$ is the $n$th choice. Also, in the latter case one has to provide a function of default values $d$ (from numbers—positions in the list of choices—to choices), and a proof of $P(n, d(n))$, to ensure that the sequence can be extended with legal values. This does not mean that any choice sequence is restricted. One can construct an unrestricted choice sequence (one in which the choices can be any term) by employing the empty restriction, i.e. a predicate that always returns true (formally, $\lambda n, t.\mathtt{True}$). When adding a new value to a choice sequence one has to prove that it satisfies the restriction of the sequence. For decidable restrictions, this can be done automatically by the system. Note that while we only support restrictions imposed a priori on a sequence, our restrictions are parameterized by the position in the sequence of choices. Therefore, one can define a restriction that only applies to values starting from a specific location. For example, the restriction $\lambda n, t.\ \mathtt{if}\ n < 10\ \mathtt{then}\ \mathtt{True}\ \mathtt{else}\ 2 \le t$ enforces that the choices starting from position 10 must be greater than or equal to 2, but choices up to position 10 are unconstrained.

Two notable restrictions we shall use are the following. The first restriction predicate enforces that the choices have to be natural numbers, i.e., the restriction predicate is $\lambda n, t.\ \exists i \in \mathbb{N}.\ t = i$. For this we supply the default value function $\lambda n.0$. The second restriction enforces that the choices have to be natural numbers, with the constraint that the first few values have to agree with a given list of numbers. Formally, given a list of natural numbers $l$, the restriction predicate is $\lambda n, t.\ \mathtt{if}\ n < |l|\ \mathtt{then}\ t = l[n]\ \mathtt{else}\ \exists i \in \mathbb{N}.\ t = i$.⁵ The default value function is $\lambda n.\ \mathtt{if}\ n < |l|\ \mathtt{then}\ l[n]\ \mathtt{else}\ 0$.

To capture key properties of choice sequences, our formalization further provides a mechanism for enforcing certain restrictions through choice sequence name spaces. A choice sequence name is a pair consisting of a string and a constraint, where a constraint can either be a number or a list of numbers. Constraints are used to enforce some restrictions as follows. The constraint 0 enforces the choice sequence to be a choice sequence of natural numbers; any other number $n > 0$ does not constrain the type of values in the sequence (which leaves room for incorporating more specific constraints in future extensions). Finally, a list of numbers $l$ is used to enforce that the choice sequence is a free choice sequence of numbers such that the $|l|$ first elements in it coincide with those given by the list $l$. For example, ("a", 0) states that a must be a free choice sequence of numbers; ("a", 1) states that a is a free choice sequence that can be filled with any values—not just numbers; and ("a", [3,2,5]) forces a to be a free choice sequence of numbers that starts with the choices 3, 2, and 5.


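Definition 3.1. BITT’s term syntax and operational semantics extends those of Nuprl (presented in Sec. 2) with choice sequences. The formal extensions are given in Fig. 3, where we use C.S. as an abbreviation for choice sequence, and $n, n_1, \dots, n_k$ for variables ranging over natural numbers.⁶

⁵ As usual, $|l|$ is the length of the list $l$, and $l[n]$ is the $(n + 1)$th element of the list.

Figure 3 Extended syntax and operational semantics

$$
\begin{array}{rcl}
csn \in \mathtt{CSName} & ::= & (s, space)\ (\text{C.S. name}) \\
s \in \mathtt{RawCSName} & & \\
space \in \mathtt{Space} & ::= & n \mid [n_1; \dots; n_k]\ (\text{C.S. name space}) \\
v \in \mathtt{Value} & ::= & \cdots \mid \mathtt{seq}(csn)\ (\text{C.S.}) \\
vt \in \mathtt{Type} & ::= & \cdots \mid \mathtt{Free}(n)\ (\text{C.S. type}) \\
t \in \mathtt{Term} & ::= & \cdots \mid \mathtt{if}\ \boxed{t_1} = \boxed{t_2}\ \mathtt{then}\ t_3\ \mathtt{else}\ t_4\ (\text{C.S. equality})
\end{array}
$$

$$
\begin{array}{rcl}
\mathtt{if}\ \mathtt{seq}(csn_1) = \mathtt{seq}(csn_2)\ \mathtt{then}\ t_1\ \mathtt{else}\ t_2 & \mapsto_{lib} & t_1, \text{ if } csn_1 = csn_2 \\
\mathtt{if}\ \mathtt{seq}(csn_1) = \mathtt{seq}(csn_2)\ \mathtt{then}\ t_1\ \mathtt{else}\ t_2 & \mapsto_{lib} & t_2, \text{ if } csn_1 \neq csn_2 \\
\mathtt{seq}(csn)(i) & \mapsto_{lib} & cs[i], \text{ if } cs[i] \text{ is defined in } lib
\end{array}
$$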


Name spaces, which can be either a number or a finite list of numbers, are introduced for choice sequences. A choice sequence name is a pair which consists of a raw name (i.e. the name identifier for the entry in the library—simply a string in our formalization) and a space name. The type of choice sequences is $\mathtt{Free}(n)$, where, as for choice sequences, $n$ is a name space. We use 0 for the type of free choice sequences of natural numbers, and any other number $n > 0$ does not constrain the inhabitants of $\mathtt{Free}(n)$ (this, again, allows for the addition of other constraints in the future). The choice sequences are incorporated as values of the form $\mathtt{seq}(csn)$, where $csn$ is a choice sequence name; and a new term of the form $\mathtt{if}\ t_1 = t_2\ \mathtt{then}\ t_3\ \mathtt{else}\ t_4$ is introduced for their equality judgment. Since choice sequences are identified with their names, it computes by simply comparing the corresponding names. The bottom of Fig. 3 shows formally how it computes. Also, in addition to being able to apply $\lambda$-abstractions, we allow applying choice sequences of the form $\mathtt{seq}(csn)$ to numbers. The application $\mathtt{seq}(csn)(i)$ reduces to $cs[i]$ if $0 \le i$ and if the $i$th choice for the choice sequence named $cs$ is available in the current library, in which case $cs[i]$ returns that choice—otherwise, it is left undefined. Note that, unlike in the computation system described in Fig. 1, the extended computation rules explicitly depend on the current library.


Definition 3.2.

• A library is called safe if the values of its choice sequences satisfy the corresponding restrictions, and those restrictions respect the names of the sequences (as mentioned above).

• A library $lib_2$ extends a library $lib_1$, denoted by $\mathtt{extends}(lib_2, lib_1)$, if each entry accessible in $lib_1$ is also accessible in $lib_2$. For a definition or lemma, the two entries have to be the same, and for a choice sequence entry, the list of choices made so far in $lib_1$ has to be a sublist of the corresponding list in $lib_2$.


When defining an extension $lib'$ of a library $lib$ one must produce a proof that $lib'$ is safe assuming that $lib$ is safe. For simplicity, we assume all libraries are safe in the remainder of the paper.


3.3 Unbounded Objects 


Since choice sequences are open-ended objects, it might be that to prove a theorem or carry on a computation one needs to know the value of a choice sequence at a certain point, say the 8th element in the sequence, but at that given stage it is yet undefined. How do we want our formal system to behave in such a situation? In the intuitionistic theory of free choice sequences, a reasonable answer would be ‘wait until the creative subject picks enough values in the sequence’. This suggests one possible implementation: the system can print out a message to the user asking for more values until there is sufficient data. Another possibility is to have the system automatically fill in values up to the desired place in the sequence. This can be done by some random number generator that is called in such situations. We can even use a computable function to complete the particular segment of the sequence. The free nature of the sequence is kept because the generator (random or not) is only applied to create the values, and then only the values are stored in the library, thus the intensional information concerning the generation process cannot be accessed.

⁶ See https://github.com/vrahli/NuprlInCoq/tree/beth/computation/library.v for a detailed account of the extension of Nuprl’s computation system.

In our current implementation, when attempting to prove a statement that mentions a value in a choice sequence that is not yet registered in the library, applications of the basic computation rules for that object will fail. The user then has to fill in enough of the sequence into the library in order to be able to complete the proof. As discussed above, it is possible to build a way to generate such values automatically on top of the current implementation.
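The library operations of Sec. 3.1 to 3.3 (choice sequence entries with restrictions, name spaces, safe libraries, extends, the application seq(csn)(i), and filling in default values) can be modelled as follows. This is an added Python illustration, not code from the paper or from the NuprlInCoq formalization; the class and function names are hypothetical, terms are modelled as Python values, and "sublist" is read as initial segment.

```python
"""Toy model of BITT's library-as-state (added illustration, not NuprlInCoq code)."""
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, Tuple, Union

Space = Union[int, Tuple[int, ...]]   # name space: a number or a list of numbers
Name = Tuple[str, Space]              # choice sequence name: (raw name, space)


def is_nat(t) -> bool:
    return isinstance(t, int) and not isinstance(t, bool) and t >= 0


@dataclass(frozen=True)
class Entry:
    """Choice sequence entry: restriction P(n, t), default values d(n), choices so far."""
    restriction: Callable[[int, object], bool]
    default: Callable[[int], object]
    choices: Tuple = ()


def entry_for(name: Name, restriction=None, default=None) -> Entry:
    """Empty entry whose restriction respects the name space of `name`."""
    space = name[1]
    if isinstance(space, tuple):      # list l: naturals, first |l| choices fixed by l
        return Entry(lambda n, t: is_nat(t) and (n >= len(space) or t == space[n]),
                     lambda n: space[n] if n < len(space) else 0)
    if space == 0:                    # constraint 0: choices must be naturals
        return Entry(lambda n, t: is_nat(t), lambda n: 0)
    # any other number: the name imposes nothing, a custom restriction may be supplied
    return Entry(restriction or (lambda n, t: True), default or (lambda n: 0))


@dataclass(frozen=True)
class Library:
    defs: Dict[str, str] = field(default_factory=dict)     # definitions and lemmas
    seqs: Dict[Name, Entry] = field(default_factory=dict)  # choice sequence entries


def safe(lib: Library) -> bool:
    """Every recorded choice satisfies the restriction of its entry."""
    return all(e.restriction(n, t)
               for e in lib.seqs.values() for n, t in enumerate(e.choices))


def extends(lib2: Library, lib1: Library) -> bool:
    """extends(lib2, lib1): lib2 keeps every entry of lib1 and choices only grow."""
    for key, body in lib1.defs.items():
        if lib2.defs.get(key) != body:
            return False
    for name, e1 in lib1.seqs.items():
        e2 = lib2.seqs.get(name)
        if e2 is None or e2.choices[:len(e1.choices)] != e1.choices:
            return False
    return True


def add_choice(lib: Library, name: Name, t) -> Library:
    """Extension of `lib` in which `t` is the next choice of `name`, if P allows it."""
    e = lib.seqs[name]
    n = len(e.choices)
    if not e.restriction(n, t):
        raise ValueError(f"choice {t!r} at position {n} violates the restriction of {name}")
    seqs = dict(lib.seqs)
    seqs[name] = replace(e, choices=e.choices + (t,))
    return Library(dict(lib.defs), seqs)


def apply_seq(lib: Library, name: Name, i: int):
    """seq(csn)(i): reduces to the i-th choice only if it is recorded in `lib`."""
    choices = lib.seqs[name].choices
    if not 0 <= i < len(choices):
        raise LookupError(f"choice {i} of {name} is not yet in the library")
    return choices[i]


def fill_defaults(lib: Library, name: Name, i: int) -> Library:
    """Extend `name` with default values d(n) until position i is defined (Sec. 3.3)."""
    while len(lib.seqs[name].choices) <= i:
        e = lib.seqs[name]
        lib = add_choice(lib, name, e.default(len(e.choices)))   # needs P(n, d(n))
    return lib


def demo():
    """Constructed run using the names and restrictions quoted in Sec. 3.2."""
    a, b = ("a", (3, 2, 5)), ("b", 1)
    late = lambda n, t: n < 10 or (is_nat(t) and 2 <= t)   # free before position 10
    lib0 = Library({"lemma1": "constructed body"},
                   {a: entry_for(a), b: entry_for(b, late, lambda n: 2)})
    lib1 = add_choice(add_choice(lib0, a, 3), b, "any term")
    lib2 = fill_defaults(lib1, a, 7)     # positions 1..7 of a receive default values
    return lib0, lib1, lib2, a, b
```

Each operation returns a new library, so earlier libraries stay available and `extends` can compare any two stages.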


4 Beth-Style System 


The BHK/realizability/Curry-Howard Isomorphism semantics are interpretations of intuitionistic logic that make explicit its computational power and its connection to programming languages. While intuitionistic logic clearly holds computational content, this is not as evident in other well-known interpretations of it, such as the possible-world semantics, either Kripke semantics [31] or Beth semantics [21]. These two types of semantics are mainly used for the theoretical foundational exploration of intuitionistic logic, but their relationship to programming concepts is not clear. We next combine these interpretations in a way that fleshes out the computational interpretation of the latter as well.

Since choice sequences evolve dynamically as more and more values are recorded in the library, supporting reasoning about them compels modifications to the semantics of Nuprl. Accordingly, this section describes the modified semantics of BITT, and its resulting type system. As choice sequences are implemented as entries in the library, the notion of truth of a sequent must now also depend on the current state of the library, allowing our libraries to expand (under certain restrictions). Thus, the libraries essentially behave as the worlds in the possible-world semantics, where in any particular state of the library the semantics is induced by the realizability semantics. This provides a computational interpretation for the possible-world semantics in terms of libraries.


4.1 Modifying the Semantics 


To support the evolving nature of the library, in [40] the semantics of sequents in Nuprl was modified into a Kripke-like semantics. There, the semantics of types and sequents was parametrized by a library, and then constrained so that a sequent is true in a library only if it is true in all possible extensions of the current library. Nevertheless, such generalization of the semantics is insufficient to support choice sequences. To demonstrate the problem, consider the claim “there is some value in a given place of a choice sequence” (e.g., formally, $\exists x.\ a(100) = x$). This should be a valid statement in the theory of choice sequences, based on their “infinitely proceeding” nature. However, if in the current stage of the library the choice sequence $a$ has only three values, this will be false under the Kripke-like semantics, since there are extensions of the library in which the 100th value is yet to be filled in. Settling this requires further generalization of Nuprl’s semantics, into a Beth-like one.

In both Kripke and Beth semantics, if a sentence is true on the basis of a given state of knowledge it will also be asserted to be true in later states of knowledge. The difference appears in how it is asserted to be true. For example, intuitively, in Kripke models an object is said to exist in a given state if it exists in all later states of knowledge, whereas in Beth models it exists if in any path through the states of knowledge starting from the given one there exists a point from which on the object exists. Normally in a constructive setting something exists only if it has been constructed. In contrast, using the Beth semantics, roughly speaking, one gets to assert the existence of objects by forcing them to “eventually” exist, without really constructing them. (The Beth semantics bears some resemblance to the notion of forcing [14].)

In [19] Beth models were used to validate the axioms of the theory of lawless sequences (and the axioms of the theory of the creative subject, Bar Induction and the Continuity Principle). Inspired by this work, in BITT we have turned Nuprl’s PER semantics into a Beth-like model. The fundamental component in Beth semantics is that of a bar. Roughly speaking, a bar $b$ for a world $w$ is a subset of the collection of worlds such that each path through $w$ intersects it (see Def. 4.1 for a precise definition). The key difference from the more well-known concept of Kripke models lies in the definitions of the disjunction and the existential quantifier, which now depend on bars. Those are defined as follows:


• $\varphi \lor \psi$ holds in a world $w$ if there is a bar $b$ for $w$, such that for each $w' \in b$, $\varphi$ holds in $w'$ or $\psi$ holds in $w'$.

• $\exists x.\varphi$ holds in a world $w$ if there is a bar $b$ for $w$, such that for each $w' \in b$, there exists an element $d$ in the domain for which $\varphi(d)$ holds in $w'$.


Under this semantics the statement $\exists x.\ a(100) = x$ is valid because there is a bar $b$ of the current library such that in every library in $b$, the 100th element of the sequence $a$ is filled in, and from that point on it remains fixed (see Sec. 5 for more details regarding the validity of this statement). This demonstrates the imperativeness of the Beth semantics, and in particular of the notion of bars.


4.2 Bar Hopping 


To define the key concept of a bar we first introduce the notion 
of infinite libraries. They are concretely implemented as functions 
from numbers to infinite library entries, where choice sequences 
have all their slots filled in. We also require that every infinite 
library has to have an entry for every named choice sequence.


Definition 4.1 (Bars). A bar of a library lib is a collection of li- 
braries b such that for each infinite library ilib that extends lib, 
there exists a finite library lib’ in b such that extends(lib’, lib) and 
ilib extends lib’. We use $b \in \mathit{Bar}(lib)$ to denote that b is a bar of lib,
in which case we also say that b bars lib. 


Intuitively, being a bar of a library lib means that any way in 
which lib can be extended always hits the bar, i.e. there is always 
an intermediate extension of lib that is in the bar. For any library 
lib there exists a trivial bar containing only lib, i.e., {lib} bars lib. 
Also, it follows from the definition that bars are non-empty. 

We use the following abstractions below to interpret types:

$$\begin{aligned}
\mathit{allExt}(lib, f) &= \forall lib'.\ \mathit{extends}(lib', lib) \Rightarrow f(lib') \\
\mathit{allBar}(b, f) &= \forall lib' \in b.\ \mathit{allExt}(lib', f) \\
\mathit{exBar}(lib, f) &= \exists b \in \mathit{Bar}(lib).\ \mathit{allBar}(b, f)
\end{aligned}$$

allExt(lib, f) states that all extensions of lib satisfy f; allBar(b, f) states that all extensions of all libraries in b satisfy f; and finally exBar(lib, f) states that there exists a bar of lib such that all extensions of libraries in it satisfy f, i.e. that f holds from that bar on.
We next introduce some useful operations on bars. 


Lemma 4.2 (Intersection of bars). Let $b_1$ and $b_2$ be two bars of a library lib. Then, the following collection is also a bar of lib:

$$b_1 \cap b_2 = \{\, lib' \mid \exists lib_1 \in b_1, lib_2 \in b_2.\ \mathit{extends}(lib', lib_1) \wedge \mathit{extends}(lib', lib_2) \,\}$$


Note that the intersection $b_1 \cap b_2$ builds a monotone bar, in the sense that if a library is in the bar, then all its finite extensions are also in the bar. Because types and PERs are interpreted in terms of existence of bars, we constantly need to intersect bars to prove properties about those. For example, this is needed to prove transitivity of the BAR operator defined in Sec. 4.3, because given two different bars we had to compute a third one that covers both of them.
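
Def. 4.1, the allExt/allBar/exBar abstractions and the intersection of Lemma 4.2 can be exercised on a small model. The following Python sketch is an added example, not part of the paper or of its Coq formalization. It assumes a single choice sequence with choices drawn from the finite set {0, 1}, represents a library as the tuple of choices made so far, cuts "all extensions" off at a fixed HORIZON, and searches only uniform bars in ex_bar; all function names are hypothetical.

```python
from itertools import product

# Assumptions of this sketch (not from the paper): a single choice sequence
# whose choices come from a finite set, so a library is the tuple of choices
# made so far, and "all extensions" is cut off at a fixed HORIZON.
CHOICES = (0, 1)
HORIZON = 6


def extends(lib2, lib1):
    """extends(lib2, lib1): lib2 keeps every choice already made in lib1."""
    return lib2[:len(lib1)] == lib1


def is_bar(b, lib):
    """Def. 4.1 for a finite collection b: every infinite library that
    extends lib passes through some member of b that extends lib."""
    members = {l for l in b if extends(l, lib)}
    if not members:
        return False                      # bars are non-empty
    depth = max(len(l) for l in members)

    def hit(w):
        if w in members:
            return True
        if len(w) >= depth:               # no member further along this path
            return False
        return all(hit(w + (c,)) for c in CHOICES)

    return hit(lib)


def extensions(lib, horizon=HORIZON):
    """Finite extensions of lib up to length horizon, lib itself included."""
    for n in range(max(0, horizon - len(lib)) + 1):
        for tail in product(CHOICES, repeat=n):
            yield lib + tail


def all_ext(lib, f, horizon=HORIZON):
    """allExt(lib, f), bounded by the horizon."""
    return all(f(l) for l in extensions(lib, horizon))


def all_bar(b, f, horizon=HORIZON):
    """allBar(b, f): f holds in every extension of every library in b."""
    return all(all_ext(l, f, horizon) for l in b)


def uniform_bar(lib, depth):
    """The bar of lib made of all its extensions of length exactly depth."""
    return {lib + tail for tail in product(CHOICES, repeat=depth - len(lib))}


def ex_bar(lib, f, horizon=HORIZON):
    """exBar(lib, f), searching uniform bars only; returns a witness or None."""
    for depth in range(len(lib), horizon + 1):
        b = uniform_bar(lib, depth)
        if all_bar(b, f, horizon):
            return b
    return None


def meet_frontier(b1, b2):
    """Minimal elements of the collection in Lemma 4.2. In this tree model two
    libraries have a common extension only if one extends the other, and the
    longer one is then their least common extension."""
    out = set()
    for l1 in b1:
        for l2 in b2:
            if extends(l1, l2):
                out.add(l1)
            elif extends(l2, l1):
                out.add(l2)
    return out


def in_meet(lib, b1, b2):
    """Membership in the full (monotone) collection of Lemma 4.2."""
    return (any(extends(lib, l1) for l1 in b1)
            and any(extends(lib, l2) for l2 in b2))


def slot_filled(k):
    """'The k-th choice has been made', the analogue of 'a(k) = x for some x'."""
    return lambda lib: len(lib) > k


if __name__ == "__main__":
    root = ()
    print(is_bar({(0,), (1, 0), (1, 1)}, root))   # every path is caught
    print(is_bar({(0,), (1, 0)}, root))           # the path 1,1,1,... escapes
    print(all_ext(root, slot_filled(2)))          # Kripke-style reading fails
    print(ex_bar(root, slot_filled(2)) == uniform_bar(root, 3))  # Beth reading
    b1, b2 = {(0,), (1,)}, {(0, 0), (0, 1), (1,)}
    print(sorted(meet_frontier(b1, b2)), is_bar(meet_frontier(b1, b2), root))
```

With slot 2 standing in for slot 100 of Sec. 4.1, the property fails under allExt at the empty library but holds under exBar, witnessed by the bar of all libraries with three choices made.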


Lemma 4.3 (Raising bars). Let b be a bar of a library lib, and $lib_0$ be another library. Then, the following collection is a bar of both $lib_0$ and b (in the sense that it bars every library in b):


$$b{\uparrow}^{lib_0} = \{\, lib' \mid \exists lib'' \in b.\ \mathit{extends}(lib', lib'') \wedge \mathit{extends}(lib', lib_0) \,\}$$


$b{\uparrow}^{lib_0}$ is essentially a simple intersection, where one bar is b and the other one is the trivial bar $\{lib_0\}$. A prototypical example
of the use of the bar raising operator arises in the proof of Thm. 
4.14 below, where from a bar of a library lib and an extension lib’ 
of that library, we need to construct a bar of lib’. 


Lemma 4.4 (Families of bars). Let f be a family of bars of lib, i.e., a 
function from extensions of a library lib to corresponding bars. Then, 
the following collection is a bar of lib: 


$$\bigcup f = \{\, lib' \mid \exists lib''.\ \mathit{extends}(lib'', lib) \wedge lib' \in \mathit{Bar}(f(lib'')) \,\}$$


$\bigcup f$ is an infinite intersection. It is useful, among other things,
to collapse/expand bars. 


Lemma 4.5 (Collapsing/expanding bars). For a given library lib, 
$\mathit{exBar}(lib, \lambda lib'.\ \mathit{exBar}(lib', f))$ is equivalent to $\mathit{exBar}(lib, f)$.


The above lemma allows us to: (1) collapse two layers of bars, i.e. a bar $b_1$ and a bar $b_2$ that bars every library in $b_1$, into one (the $\Rightarrow$ direction); and (2) expand a bar to two layers of bars (the $\Leftarrow$ direction). Collapsing bars is used to simplify definitions that accumulate bars, while expanding bars gives us some leeway in proving
the existence of bars in the context of several barred propositions. 


4.3 Type Semantics 


Let us now describe our Beth model, where types are interpreted 
as PERs on closed terms. This section culminates in the definition of the BITT type system, which in turn is used to formally define type equality $T \equiv_{lib} T'$, and equality in a type $a \equiv_{lib} b \in T$. Those are here parameterized by a library unlike the ones discussed in Sec. 2.

A type system $\tau$ is a 4-ary relation between a library lib, two closed terms T and T’, and a binary relation $\varphi$ on closed terms, which expresses when T and T’ are equal types, and defines $\varphi$ as the PER of those types in lib.⁷ As is standard practice, to define BITT below we first define operators that interpret the various type constructors of the type theory. We then recursively define a hierarchy of universes by closing lower universes under the type constructors of the theory. Finally, BITT is the collection of all universes closed under the type constructors of the theory.

The PER model described in [2; 3; 18; 5] is modified so that expressions need only be defined in a bar of the current library.⁸ For example, until now the integer type was interpreted as follows:


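$$\mathrm{INT}(\tau)(lib, T, T', \varphi) = T \Downarrow_{lib} \mathbb{Z} \wedge T' \Downarrow_{lib} \mathbb{Z} \wedge (\varphi \Leftrightarrow \mathrm{INTper}(lib))$$


where $\tau$ is a type system; $\varphi$ is a binary relation on closed terms; $\varphi_1 \Leftrightarrow \varphi_2$ stands for $\forall t, t'.\ t\ \varphi_1\ t' \iff t\ \varphi_2\ t'$; $a \Downarrow_{lib} b$ denotes that a computes to b in the library lib; and


$$\mathrm{INTper}(lib) = \lambda t, t'.\ \exists i.\ t \Downarrow_{lib} i \wedge t' \Downarrow_{lib} i$$


This states that T and T’ are equal types of the type system $\tau$ if they both compute to the integer type $\mathbb{Z}$, and $\varphi$ is $\mathbb{Z}$’s PER, i.e., t and t’ are equal members of $\mathbb{Z}$ if they both compute to some integer i.

In our Beth model, INT is defined similarly, using INTperb instead of INTper, which incorporates bars into the definition: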


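Definition 4.6 (Integer type).
$$\mathrm{INT}(\tau)(lib, T, T', \varphi) = T \Downarrow_{lib} \mathbb{Z} \wedge T' \Downarrow_{lib} \mathbb{Z} \wedge (\varphi \Leftrightarrow \mathrm{INTperb}(lib))$$
where $\mathrm{INTperb}(lib) = \lambda t, t'.\ \mathit{exBar}(lib, \lambda lib'.\ t\ \mathrm{INTper}(lib')\ t')$.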


We applied similar changes to the other type constructors. For 
example, union types are now interpreted as follows: 


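Definition 4.7 (Union type).
$$\begin{aligned}
\mathrm{UNION}(\tau)(lib, T, T', \varphi) ={}& \exists \psi_a, \psi_b, A, A', B, B'. \\
& T \Downarrow_{lib} A+B \wedge T' \Downarrow_{lib} A'+B' \\
& \wedge\ \mathit{allExt}(lib, \lambda lib'.\ \tau(lib', A, A', \psi_a(lib'))) \\
& \wedge\ \mathit{allExt}(lib, \lambda lib'.\ \tau(lib', B, B', \psi_b(lib'))) \\
& \wedge\ (\varphi \Leftrightarrow \mathrm{UNIONperb}(lib, \psi_a, \psi_b))
\end{aligned}$$
where:
$$\begin{aligned}
\mathrm{UNIONperb}(lib, \psi_a, \psi_b) &= \lambda t, t'.\ \mathit{exBar}(lib, \lambda lib'.\ \mathrm{INLper}(t, t', lib', \psi_a) \vee \mathrm{INRper}(t, t', lib', \psi_b)) \\
\mathrm{INLper}(t, t', lib, \psi) &= \exists x, y.\ t \Downarrow_{lib} \mathtt{inl}(x) \wedge t' \Downarrow_{lib} \mathtt{inl}(y) \wedge x\ \psi(lib)\ y \\
\mathrm{INRper}(t, t', lib, \psi) &= \exists x, y.\ t \Downarrow_{lib} \mathtt{inr}(x) \wedge t' \Downarrow_{lib} \mathtt{inr}(y) \wedge x\ \psi(lib)\ y
\end{aligned}$$
and $\psi$ denotes a function that associates binary relations on closed terms with libraries.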


Note that UNION requires A, A’, B, B’ to be types in all extensions lib’ of lib such that $\psi_a(lib')$ is the PER of A and A’, and $\psi_b(lib')$ is the PER of B and B’. This is so that $\psi_a$ and $\psi_b$ can be used to define the PER interpretation of union types in terms of a bar of the current library. They provide the PERs of A and B in all extensions of lib, so that we can define the PER of the union type A+B in terms of the existence of objects in the PERs of A and B in a bar of lib, i.e., in extensions of lib, by applying $\psi_a$ and $\psi_b$ to those extensions. Knowing the PER of A and B only in the current library is insufficient for such a construction. In Sec. 4.4 we show that type interpretations are monotonic, and therefore that if lib’ extends lib then $\psi_a(lib)$ and $\psi_b(lib)$ are subsets of $\psi_a(lib')$ and $\psi_b(lib')$, respectively.

We also add a new constructor, BAR, that assigns meaning to types at a given library lib, provided they are defined in a bar of lib. This is critical to obtain the locality property of the type system, discussed in Sec. 4.4, which is a salient feature of Beth models.

⁷ Instead of using induction-recursion (not yet fully supported by Coq) to define $T \equiv_{lib} T'$ and $a \equiv_{lib} b \in T$, we use Allen’s method [3], and define a 4-ary relation, BITT, between a library, two types and a PER, from which we derive $T \equiv_{lib} T'$ and $a \equiv_{lib} b \in T$.
⁸ See https://github.com/vrahli/NuprlInCoq/tree/beth/per/per.v.


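Definition 4.8. The BAR constructor is defined as follows:
$$\begin{aligned}
\mathrm{BAR}(\tau)(lib, T, T', \varphi) ={}& \exists b \in \mathit{Bar}(lib).\ \exists \psi.\ \mathit{allBar}(b, \lambda lib'.\ \tau(lib', T, T', \psi(lib'))) \\
& \wedge\ \varphi \Leftrightarrow \mathrm{BARperb}(b, \psi)
\end{aligned}$$


where:
$$\mathrm{BARperb}(b, \psi) = \lambda t, t'.\ \mathit{allBar}(b, \lambda lib.\ \mathit{exBar}(lib, \lambda lib'.\ t\ \psi(lib')\ t'))$$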


We also add a new constructor FREE that assigns meaning to the 
new Free(n) types: 


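Definition 4.9. The FREE constructor is defined as follows:
$$\begin{aligned}
\mathrm{FREE}(\tau)(lib, T, T', \varphi) ={}& \exists n.\ T \Downarrow_{lib} \mathtt{Free}(n) \wedge T' \Downarrow_{lib} \mathtt{Free}(n) \\
& \wedge\ (\varphi \Leftrightarrow \mathrm{FREEperb}(lib, n))
\end{aligned}$$
where:
$$\begin{aligned}
\mathrm{FREEperb}(lib, n) &= \lambda t, t'.\ \mathit{exBar}(lib, \lambda lib'.\ \mathrm{FREEper}(lib', n)) \\
\mathrm{FREEper}(lib', n) &= \exists csn.\ t \Downarrow_{lib'} \mathtt{seq}(csn) \wedge t' \Downarrow_{lib'} \mathtt{seq}(csn) \wedge n \# csn
\end{aligned}$$


and where $n \# csn$ states that n is compatible with csn, i.e., n = 0 implies that csn’s space part is either 0 or a list of numbers (in both cases, constraining the choice sequence to consist of numbers).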


As in [2; 3; 18; 5], and as explained by Crary [18], we then define a closure operator CLOSE that, given a type system $\tau$, builds a larger type system from the types in $\tau$ (e.g., INT and BAR) using any type constructors except universes.⁹ Intuitively, if $\tau$ contains all universes up to some universe $\mathbb{U}_j$, then CLOSE($\tau$) contains all types built from those universes, i.e., all members of $\mathbb{U}_{j+1}$.


Definition 4.10. CLOSE is the smallest type system such that: 


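$$\begin{aligned}
\mathrm{CLOSE}(\tau)(lib, T, T', \varphi) \Rightarrow{}& \tau(lib, T, T', \varphi) \vee \mathrm{INT}(\tau)(lib, T, T', \varphi) \vee \mathrm{UNION}(\tau)(lib, T, T', \varphi) \\
& \vee\ \mathrm{FREE}(\tau)(lib, T, T', \varphi) \vee \mathrm{BAR}(\tau)(lib, T, T', \varphi) \vee \cdots
\end{aligned}$$


where $\tau(lib, T, T', \varphi)$ states that T and T’ are equal types in the type system $\tau$, with PER $\varphi$ in the library lib; and the rest of the disjunction contains the other type constructors, excluding universes.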


Next, we define for every natural number i the type system 
UNIVi(i) containing all universes up to some level i by induction 
on i, and then use those to define the type system UNIV containing 
all universes as follows: 


Definition 4.11. 
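$$\begin{aligned}
\mathrm{UNIVex}(lib, T, T', \varphi) &= \exists i.\ \mathrm{UNIVi}(i)(lib, T, T', \varphi) \\
\mathrm{UNIV}(lib, T, T', \varphi) &= \mathrm{BAR}(\mathrm{UNIVex})(lib, T, T', \varphi)
\end{aligned}$$


Finally, we define the BITT type system, from which we derive the $T \equiv_{lib} T'$ and $a \equiv_{lib} b \in T$ relations: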


Definition 4.12 (BITT type system). 


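$$\begin{aligned}
\mathrm{BITT} &= \mathrm{CLOSE}(\mathrm{UNIV}) \\
T \equiv_{lib} T' &= \exists \varphi.\ \mathrm{BITT}(lib, T, T', \varphi) \\
a \equiv_{lib} b \in T &= \exists \varphi.\ \mathrm{BITT}(lib, T, T, \varphi) \wedge a\ \varphi\ b
\end{aligned}$$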


The definitions presented in this section differ from the ones 
in [2; 3; 18; 5] in two ways: (1) they depend on a library; and 
(2) universes are closed using the BAR in order to guarantee that 
the type system satisfies the locality property discussed in Sec. 4.4. 

⁹ Our formalization currently includes sum types, pi types, equality types, choice sequence types, integer types, approximation and computational equivalence types, base types, name types, set types, image types, union types.


4.4 Type System Properties


We start by showing that BITT satisfies the key properties of a type 
system [2; 3; 18; 5]. 


Theorem 4.13 (Type system properties). BITT satisfies the follow- 
ing properties (free variables are universally quantified): 


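Uniqueness: $\mathrm{BITT}(lib, T, T', \varphi) \Rightarrow \mathrm{BITT}(lib, T, T', \varphi') \Rightarrow (\varphi \Leftrightarrow \varphi')$
Extensionality: $\mathrm{BITT}(lib, T, T', \varphi) \Rightarrow (\varphi \Leftrightarrow \varphi') \Rightarrow \mathrm{BITT}(lib, T, T', \varphi')$
Type transitivity: $\mathrm{BITT}(lib, T_1, T_2, \varphi) \Rightarrow \mathrm{BITT}(lib, T_2, T_3, \varphi) \Rightarrow \mathrm{BITT}(lib, T_1, T_3, \varphi)$
Type symmetry: $\mathrm{BITT}(lib, T, T', \varphi) \Rightarrow \mathrm{BITT}(lib, T', T, \varphi)$
Type computation: $\mathrm{BITT}(lib, T, T, \varphi) \Rightarrow \mathit{allExt}(lib, \lambda lib'.\ T \sim_{lib'} T') \Rightarrow \mathrm{BITT}(lib, T, T', \varphi)$
Term transitivity: $\mathrm{BITT}(lib, T, T', \varphi) \Rightarrow t_1\ \varphi\ t_2 \Rightarrow t_2\ \varphi\ t_3 \Rightarrow t_1\ \varphi\ t_3$
Term symmetry: $\mathrm{BITT}(lib, T, T', \varphi) \Rightarrow t\ \varphi\ t' \Rightarrow t'\ \varphi\ t$
Term computation: $\mathrm{BITT}(lib, T, T', \varphi) \Rightarrow t\ \varphi\ t \Rightarrow \mathit{allExt}(lib, \lambda lib'.\ t \sim_{lib'} t') \Rightarrow t\ \varphi\ t'$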


Uniqueness ensures that BITT uniquely defines PERs (up to extensional equality—see Extensionality). All four transitivity and symmetry properties ensure that the relations $T \equiv_{lib} T'$ and $a \equiv_{lib} b \in T$ derived from BITT are partial equivalence relations. Finally, the two computation properties ensure that $T \equiv_{lib} T'$ and $a \equiv_{lib} b \in T$ respect Howe’s computational equivalence relation.

The above properties are similar to those presented in [2; 3; 18; 5], except here we use $\mathit{allExt}(lib, \lambda lib'.\ t \sim_{lib'} t')$ instead of $t \sim_{lib} t'$ in the properties about computation. This is to enforce that the semantics is monotonic as discussed below. To see why this is necessary, consider a library lib that contains a choice sequence entry a whose 5th element has not yet been chosen. Then, a(5) is computationally equivalent to $\bot$ w.r.t. lib (since both do not compute to values), but it is not computationally equivalent to $\bot$ w.r.t. some extension of lib that defines a(5) to be, say, 0.


Proof outline. The main challenge in proving those properties is to 
show that the CLOSE operator preserves them, which we prove by 
induction on CLOSE. Since CLOSE is closed under bars using the BAR 
operator, it is helpful to use the locality property discussed below, 
and therefore we prove those properties by mutual induction.¹⁰ □


The two unique properties of possible-world semantics, and thus 
of our new type system, are monotonicity and locality. While the 
former is a general feature of possible-world semantics, the sec- 
ond is a distinctive feature of Beth models. Monotonicity ensures 
that true facts remain true in the future, and locality allows one to 
deduce a fact about the current library if it is true in a bar of that li- 
brary. Given the aforementioned interpretation of types, it is then 
straightforward to prove BITT’s monotonicity w.r.t. libraries. As 
opposed to locality which is proven by mutual induction, monotonicity can be proved independently.¹¹


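Theorem 4.14 (Monotonicity).
$$\begin{aligned}
\mathrm{BITT}(lib, T, T', \varphi) \Rightarrow \exists \psi.\ \forall lib'.\ & \mathit{extends}(lib', lib) \\
& \Rightarrow \mathrm{BITT}(lib', T, T', \psi(lib')) \\
& \wedge\ \varphi \sqsubseteq \psi(lib) \wedge \mathit{monPer}(lib', \psi)
\end{aligned}$$
where $\varphi_1 \sqsubseteq \varphi_2$ stands for $\forall t, t'.\ t\ \varphi_1\ t' \Rightarrow t\ \varphi_2\ t'$, and $\mathit{monPer}(lib', \psi)$ stands for $\forall lib'.\ \mathit{extends}(lib', lib) \Rightarrow \psi(lib) \sqsubseteq \psi(lib')$.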


¹⁰ See https://github.com/vrahli/NuprlInCoq/tree/beth/per/nuprl_type_sys.v.
¹¹ See https://github.com/vrahli/NuprlInCoq/tree/beth/per/nuprl_mon_func2.v.

Thanks to the BAR constructor, it is also straightforward to prove BITT’s locality:¹²


Theorem 4.15 (Locality). 


$$\mathit{allBar}(b, \lambda lib'.\ \mathrm{BITT}(lib', T, T', \psi(lib'))) \Rightarrow \mathrm{BITT}(lib, T, T', \mathrm{BARperb}(b, \psi))$$


4.5 Characterization Lemmas and Inference Rules 


Once we have proved that BITT satisfies the above desired prop- 
erties, we can provide characterization lemmas for each type con- 
structor which describe when two given types are equal, and when 
two values are equal in that type. We then use those characterization lemmas to validate BITT’s inference rules. We here provide,
as an example, the characterization lemmas for the union types. 


Lemma 4.16. The following two equivalences are provable: 
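$$A+B \equiv_{lib} A'+B' \iff (A \equiv_{lib} A' \wedge B \equiv_{lib} B')$$
$$\begin{aligned}
a \equiv_{lib} b \in A+B \iff{}& A \equiv_{lib} A \wedge B \equiv_{lib} B \\
& \wedge\ \mathit{exBar}(lib, \lambda lib'.\ \mathrm{INLeq}(a, b, lib', A) \vee \mathrm{INReq}(a, b, lib', B))
\end{aligned}$$
where


$$\begin{aligned}
\mathrm{INLeq}(t, t', lib, T) &= \exists x, y.\ a \Downarrow_{lib} \mathtt{inl}(x) \wedge b \Downarrow_{lib} \mathtt{inl}(y) \wedge x \equiv_{lib} y \in T \\
\mathrm{INReq}(t, t', lib, T) &= \exists x, y.\ a \Downarrow_{lib} \mathtt{inr}(x) \wedge b \Downarrow_{lib} \mathtt{inr}(y) \wedge x \equiv_{lib} y \in T
\end{aligned}$$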


Proof outline. For the $\Rightarrow$ direction of the first equivalence, we have to show, among other things, that if $A+B \equiv_{lib} A'+B'$ then $A \equiv_{lib} A'$. Because the $T \equiv_{lib} T'$ relation is defined in terms of BITT which is, in turn, defined in terms of CLOSE, and because the CLOSE operator is closed under bars using BAR (which is necessary to obtain locality), from $A+B \equiv_{lib} A'+B'$ we obtain that A+B and A’+B’ are equal in a bar of lib. This entails that A and A’ are equal in a bar of lib, from which, using BITT’s locality, we obtain $A \equiv_{lib} A'$.

To prove the $\Leftarrow$ direction of the first equivalence, we show that $A+B \equiv_{lib} A'+B'$ follows from $A \equiv_{lib} A'$ and $B \equiv_{lib} B'$. To prove this, we have to prove that A, A’, B, and B’ are types in all extensions of lib, as required by UNION (defined in Sec. 4.3). We derive that from $A \equiv_{lib} A'$ and $B \equiv_{lib} B'$, and from the monotonicity of BITT.¹³ □


We use these characterization lemmas to validate introduction 
and elimination rules for BITT’s types, such as the following intro- 
duction rule for union types, which states that if a is a member of 
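A (and B is a type) then inl(a) is a member of A+B:¹⁴


$$\frac{H \vdash A\ \lfloor \mathrm{ext}\ a \rfloor \qquad H \vdash B \in \mathbb{U}_i}{H \vdash A+B\ \lfloor \mathrm{ext}\ \mathtt{inl}(a) \rfloor}$$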


In addition to proving the validity of such rules, we have also 
proved that BITT is weakly consistent w.r.t. Coq’s consistency, in 
the sense that the proposition False is not derivable.¹⁵


5 Non-Computable Functions Type 


Now that choice sequences are integrated into the system, in this 
section and the next one we demonstrate the adequacy of the im- 
plementation for the theory of choice sequences. Accordingly, we 
prove the validity of inference rules and axioms concerning choice 
sequences. We do so using the Coq formalization of BITT. Thus, 
a rule or an axiom is said to ‘hold in BITT’ if it was formally validated using the metatheory developed in this paper.


¹² See https://github.com/vrahli/NuprlInCoq/tree/beth/per/nuprl_props.v.
¹³ See https://github.com/vrahli/NuprlInCoq/tree/beth/per/per_props_union.v.
¹⁴ See https://github.com/vrahli/NuprlInCoq/tree/beth/rules/rules_union.v.
¹⁵ See https://github.com/vrahli/NuprlInCoq/tree/beth/per/weak_consistency.v.

This section shows how BITT’s function type (i.e. non-dependent product type) extends Nuprl’s. To extend the notion of computability, the choice sequences of numbers are incorporated into the function type $\mathbb{N} \to \mathbb{N}$ (also called the Baire space, $\mathcal{B}$). This is possible since the Nuprl system (on which BITT is based) was never
limited to assume that function types contain only computable (re- 
cursive) functions. We have validated the following rule in BITT, 
which asserts that all choice sequences are in the Baire space. 


Proposition 5.1. The following holds in BITT: 
$$\frac{H \vdash f \in \mathtt{Free}(0)}{H \vdash f \in \mathcal{B}}$$


Proof outline. Let lib be the current library, f a free choice sequence 
of numbers (because of the use of 0 in Free(0)) with name csn, and 
n a natural number. We have to prove that f(n) is in N. To prove 
that, it is enough to pick a bar b of lib such that f(n) computes to 
a number in b. This bar is simply the library lib extended so as to 
contain at least n values for the choice sequence named csn.¹⁶ □


Considering choice sequences as functions might seem odd. Nevertheless, recalling the standard mathematical definition of a function as a single-valued relation demonstrates that there is no a priori assumption of a governing law. So the “free choice” principle is
not in any contradiction to the abstract notion of a function. As 
for the “infinitely proceeding” property, a choice sequence might 
be thought of as a partial function with an undefined tail. This 
is also compatible with Nuprl which allows for partial functions, 
albeit in a somewhat different notion. The partialness of a choice 
sequence is a consequence of the fact that at any given stage of the 
library there is a tail of the sequence that is not yet defined. How- 
ever, as opposed to the standard concept of partial functions, the 
partialness of a choice sequence is local. That is, a choice sequence 
has the guarantee that all of its values will get filled “eventually”. 

Proposition 5.1, in turn, allows us to prove simple facts about 
choice sequences of numbers. For example, we can prove a generalized version of the example given in Sec. 4.1:¹⁷


$$\forall a : \mathtt{Free}(0).\ \forall n : \mathbb{N}.\ \exists x : \mathbb{N}.\ a(n) =_{\mathbb{N}} x$$


Both choice sequences and recursive computable functions inhabit the $\mathcal{B}$ type because the meaning of a type is determined
by its operations, and the only operation on a function type is 
apply. As mentioned in Sec. 3, we already modified the behav- 
ior of apply by changing the computation system to allow apply- 
ing choice sequences to numbers to access already made choices. 
Because the computation system is “externalized” through infer- 
ence rules which we use to reason about computation, such as 
[ApplyCases] presented below, those also need to be adjusted. 

In [39] the inference rule [ApplyCases] already had to be modified to include the metatheoretical possibility that f(a) might compute to a value also in case f is a choice sequence, not only if it computes to a λ-term. The modification of the rule was as follows:


$$\frac{H \vdash \mathit{halts}(f(a)) \qquad H \vdash f \in \mathtt{Base}}{H \vdash f \simeq \lambda x.f(x) \vee \mathit{isChoiceSeq}(x, z, f)\ \lfloor \mathrm{ext}\ \mathit{iflam}(f, \mathtt{tt}, \mathtt{ff}) \rfloor}$$

where isChoiceSeq(x, z, f) only stated that f diverges on non-integer inputs. This modification was required so as not to exclude choice sequences, even though in the theoretical syntax of Nuprl $f \simeq \lambda x.f(x)$ would always hold. This is not the case anymore. Because we include choice sequences in BITT’s syntax, the right-disjunct of the conclusion is now plausible. Therefore we refine the predicate isChoiceSeq in a way that captures the computation of choice sequences in a more precise way. We do so by replacing isChoiceSeq(x, z, f) with: $\mathit{isChoiceSeq}(f) = f \in \mathtt{Free}(1)$, where 1 is used here to express that there are no restrictions on the choice sequence f—its choices do not have to be numbers.¹⁸


¹⁶ See https://github.com/vrahli/NuprlInCoq/tree/beth/rules/rules_choice.v.
¹⁷ See https://github.com/vrahli/NuprlInCoq/tree/beth/rules/rules_choice3.v.


6 Validating the Axioms for Choice Sequences 


In this section we validate in BITT key properties governing choice 
sequences that have been suggested in the literature. We focus 
on choice sequences of natural numbers, i.e. members of Free(0). 
We adopt van Dalen’s formalization of the three axioms for choice 
sequences given in [19], which are due to Kreisel [28]. We have 
found that these are essentially at the intersection of the various 
choice sequence theories. 


6.1 Extending Initial Segments 


The axiom named LS1 in [19] states that for any finite list of values l, there is a choice sequence that extends it, i.e. one that agrees with l on its first |l| values. LS1 is a statement about the universe of choice sequences. Intuitively, it promises that there are enough choice sequences. This is the only existential axiom for choice sequences. We have validated a simple squashed (see Sec. 2) version of LS1 in BITT, which we present in Prop. 6.1. In addition, as discussed in Appx. C, we have validated a more involved non-squashed version of LS1, which we do not discuss here for space reasons, and which required extending BITT with computations to generate a choice sequence name $a \in \mathtt{Free}(0)$ given a finite sequence of numbers, provided as a pair of a number $n \in \mathbb{N}$ and a function $f \in \mathcal{B}_n$ (see Prop. 6.1). Using the $\downarrow$ operator, however, allows us to compute this choice sequence in the metatheory.


Proposition 6.1 (Extending initial segments). The following holds 
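in BITT (where $\mathcal{B}_n = \mathbb{N}_n \to \mathbb{N}$ for $\mathbb{N}_n = \{k : \mathbb{N} \mid k < n\}$):


$$\forall n : \mathbb{N}.\ \forall f : \mathcal{B}_n.\ {\downarrow}\exists a : \mathtt{Free}(0).\ f =_{\mathcal{B}_n} a$$


Because this proposition is squashed, its extract is simply $\lambda n, f.\star$, i.e., it does not have any computational content.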


Proof outline. Let n be a Nuprl term that inhabits $\mathbb{N}$, and f be a Nuprl term that inhabits $\mathcal{B}_n$. In the metatheory we can build a Coq list l of Coq numbers such that for all m < n, f(m) computes to the mth number in l. Using this list we build a choice sequence cs that includes l in its name so as to enforce that its n first values have to match the values in l (as explained in Sec. 3.2). Then, cs is added to the current library $lib_0$, and its n first values are filled. This forms a bar of $lib_0$ due to the restriction on libraries that enforces that an initial segment provided in a choice sequence name has to be respected in extensions. Finally, we use this bar to prove ${\downarrow}\exists a : \mathtt{Free}(0).\ f =_{\mathcal{B}_n} a$. Note that we need to fill the n first values of the cs choice sequence to ensure that we can prove $f =_{\mathcal{B}_n} cs$. We can start using this bar either when proving the existential, or later when proving the equality.¹⁹ □


Note the use of name spaces in the above proof. Those were introduced to Nuprl for exactly this purpose, i.e. in order to be able to guarantee the existence of a specific choice sequence in principle, without having to actually add it to the library.


¹⁸ See https://github.com/vrahli/NuprlInCoq/tree/beth/rules/rules_apply.v.
¹⁹ See https://github.com/vrahli/NuprlInCoq/tree/beth/rules/rules_choice.v.


6.2 Decidability of Equality 


The axiom named LS2 in [19] states that intensional equality over 
choice sequences is decidable. As for LS1, this is an axiom about 
the universe of choice sequences. In general, since choice sequences 
are identified with their names in the library, any two different 
entries of choice sequences are computationally distinct. Accord- 
ingly, we have validated the following versions of LS2 in BITT (see 
Appx. D for more details): 


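Proposition 6.2 (Decidability of equality). The following intensional²⁰ and extensional²¹ versions of LS2 hold in BITT:²²


$$\forall a, b : \mathtt{Free}(0).\ a \simeq b \vee \neg a \simeq b$$
$$\forall a, b : \mathtt{Free}(0).\ a =_{\mathcal{B}} b \vee \neg a =_{\mathcal{B}} b$$


and are both inhabited by the term: $\lambda a, b.\ \mathtt{if}\ a{=}b\ \mathtt{then}\ \mathtt{tt}\ \mathtt{else}\ \mathtt{ff}$.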


6.3 The Axiom of Open Data 


As opposed to LS1 and LS2, which characterize the universe of 
choice sequences, the axiom named LS3(1) in [19] (also known as 
the “Axiom of Open Data” [44]) is concerned with ways in which 
they are to be reasoned about. It states that if a property $\varphi$ (with certain side-conditions) holds for a choice sequence a, then there exists a finite initial segment of a such that $\varphi$ holds for all choice sequences that agree with a on this initial segment. In other words, the validity of $\varphi(a)$ depends only on a finite initial segment of a.

LS3(1) is a generalized form of the Continuity Principle. Following [29, p.154; 45, Thm.IIA; 22], we have already shown that the non-squashed Continuity Principle is incompatible with Nuprl. (However, we have proved in [38] that squashed versions of the Continuity Principle are consistent with Nuprl.) Therefore, we will only be able to validate a squashed version of LS3(1). Using the $\downarrow$ squashing operator, this can be formulated as follows (where a is the only choice sequence in $\varphi(a)$):


$$\forall a : \mathtt{Free}(0).\ \varphi(a) \Rightarrow {\downarrow}\exists n : \mathbb{N}.\ \forall b : \mathtt{Free}(0).\ (a =_{\mathcal{B}_n} b \Rightarrow \varphi(b))$$


The informal justification for this claim in our implementation 
of choice sequences seems straightforward. In any concrete stage 
of the library, it only contains a finite initial segment of a. Thus, if 
at a certain state of the library we managed to deduce that a satis- 
fies a certain property, the same conclusion should be inferred for 
any other choice sequence that shares that same finite information. 

Formally validating it in BITT entails first internalizing the constraint on $\varphi$. This could be done using a nominal mechanism (such as in [1]) which checks for names appearing in $\varphi$. Assuming that,
validating the axiom in our implementation of choice sequences 
turns out to amount to some key properties about the behavior of 
libraries, namely, monotonicity and name-invariance. Those were 
shown to hold for Nuprl in [40], however, proving they hold in 
BITT, and therefore also validating LS3(1), is left for future work. 


²⁰ See https://github.com/vrahli/NuprlInCoq/tree/beth/rules/rules_choice2.v.
²¹ See https://github.com/vrahli/NuprlInCoq/tree/beth/rules/rules_choice5.v.
²² Recall that $\simeq$ denotes the theoretical counterpart of the metatheoretical relation $\sim$. Here, $a \simeq b$ means that a and b compute to the same choice sequence.


7 Conclusions


We have developed an extension of Nuprl’s type theory, called 
BITT, which incorporates choice sequences. Next, we plan to up- 
date Nuprl accordingly, thereby turning it into a truly intuitionis- 
tic proof assistant. More so, it will be the only one, as far as we 
know, which supports any form of non-determinism. As such, we 
strongly believe this new version of Nuprl could be used to model 
large distributed systems. Investigating this application, as well as 
the exploration of others, is left for future work. 

Another future research task is to investigate the foundational 
intuitionistic implications of this new type theory, namely: spreads,
Bar Induction, and the Continuity Principle (CP). For example, CP 
was proven in Nuprl using exceptions [39]. In [13] the authors 
formalized choice sequences as monadic streams and internally 
proved CP for natural monadic stream functions. It has also been 
shown that one can use references to obtain CP [32]. We conjec- 
ture that our implementation of choice sequences can be used in- 
stead of the methods above to realize CP. 

It is also interesting to determine the status of other well known 
principles in the new type theory, such as Markov’s principle (MP) 
and Kripke’s Scheme (KS). MP has recently been studied in the con- 
text of type theory [17; 16]. In particular, [16] established the independence of MP with Martin-Löf’s type theory. MP was shown to
be consistent with Nuprl (using a squashed form of excluded mid- 
dle), however it was also shown in Nuprl, following [9, p.116; 44, 
Ch.4,Sec.9.5], that MP is inconsistent with KS [39, Appx.H]. Now, 
in [19] van Dalen used Beth models to validate KS. Given that we 
now invoke a Beth semantics, the status of these principles and 
their connection has to be settled. As discussed in Appx. B, we 
have so far proved that MP is false in BITT. 

Another direction for future work is to determine whether BITT 
exhibits versions of the Axiom of Choice (AC). Berardi et al. [8] pro- 
posed an interpretation of classical analysis with AC, where the 
negative translation of AC is realized by a bar recursion-like oper- 
ator. They achieve this by adding infinite sequences to their term 
language, which can be seen as lawlike choice sequences. Herbe- 
lin showed in [23] how to realize the Axiom of Countable Choice, 
the Axiom of Dependent Choice, and Bar Induction in a classical 
logic with strong (computational) existential called $\mathrm{dPA}^{\omega}$. Herbelin used streams, which can also be seen as some form of lawlike choice sequences, to compute the witnesses of the existential formulas in these axioms. Miquey [34] refined this work and proved the strong normalization (therefore also soundness) of a variant of $\mathrm{dPA}^{\omega}$ presented as a sequent calculus. Using the current implementation, we aim to improve on previous results and derive
squashed versions of the Axiom of Countable Choice directly in 
Nuprl, without using classical logic. 

Computability Beyond Church-Turing via Choice Sequences


A The Law of Excluded Middle 


As explained in [1; 5; 6; 9, Appx.F; 8, Sec.6.3], the non-squashed law 
of excluded middle (LEM) is false in Nuprl. However, the following 
$\downarrow$-squashed LEM is consistent with Nuprl:


$H \vdash {\downarrow}(P + \neg P)$
BY [LEM]
$H \vdash P \in \mathbb{U}_i$


One can prove that this inference rule is consistent with Nuprl 
using the law of excluded middle in the metatheoretical proof of 
its validity w.r.t. Nuprl’s PER semantics as shown in https://github.com/vrahli/NuprlInCoq/blob/master/rules/rules_classical.v. This seemingly classical principle is therefore computationally justified in the sense that the conclusion of the rule is inhabited by $\star$. As proved in [6, Thm.4.2], it implies Markov’s principle, which is a principle of constructive recursive mathematics (CRM), also called Russian constructive mathematics [2, Ch.3]. Coquand and Mannaa [3] showed the independence of MP with Martin-Löf’s type theory. Their method consists in providing a forcing extension of type theory, which contains a “generic” infinite sequence of Booleans, and where types
are interpreted using a Beth model. They only need sequences 
of Booleans to ensure that sequences can always be extended with 
two distinct values. Kripke also proved a similar result for Kreisel’s 
FC system of absolutely free choice sequences [7, p.104]. 

Similarly, we can directly prove that the $\downarrow$-squashed LEM is no
longer consistent with BITT, for a reason similar to the one for
MP. To prove the validity of the $\downarrow$-squashed LEM, we would have
to prove in the metatheory that for all propositions, there exists
a bar of the current library such that either (1) the proposition is
true at the bar, or (2) it is false in all extensions of the bar.
This is no longer possible because choice sequences can always
evolve differently when multiple choices are possible. We can now
validate the following axiom in the metatheory:²³


$$
\begin{array}{l}
H \vdash \neg\forall P : \mathbb{U}_i.\ {\downarrow}(P \vee \neg P)\\
\quad \text{BY [NOT-LEM]}
\end{array}
$$


To prove this in the metatheory, we first pick a fresh name of an
empty choice sequence of numbers, say csn. We then instantiate
the universally quantified formula with $\exists n : \mathbb{N}.\ \mathit{csn}(n) =_{\mathbb{N}} 1$. We
use 1 here instead of 0 as in [3] for convenience, because we use
0 as default value for choice sequences of numbers. We can then
prove that $\exists n : \mathbb{N}.\ \mathit{csn}(n) =_{\mathbb{N}} 1$ is not inhabited in the current
library because for all bars of the current library, there is always
a library in the bar that can be extended so that the csn sequence
does not contain 1, for example, filling up the sequence with the
default value 0. Also, we can prove that $\neg\exists n : \mathbb{N}.\ \mathit{csn}(n) =_{\mathbb{N}} 1$ is
false because we can prove that there exists an extension of the
current library where the choice sequence contains the choice 1.


B Markov’s Principle 


As mentioned above, Markov’s Principle (MP) was shown to be consistent
with Nuprl (using a certain squashed form of excluded middle).
However, MP is not true anymore in BITT for similar reasons
as in [4; 3]. We showed that MP is false using a similar method as
in Appx. A, i.e., we proved:²⁴


$$\neg\forall P : \mathrm{bool}.\ \neg(\forall n : \mathbb{N}.\ \neg{\uparrow}(P(n))) \Rightarrow \exists n : \mathbb{N}.\ {\uparrow}(P(n))$$

²³ See https://github.com/vrahli/NuprlInCoq/blob/master/rules/rules_not_classical.v.
²⁴ See https://github.com/vrahli/NuprlInCoq/blob/master/rules/rules_not_MP.v.
To prove that MP is not true, i.e., not inhabited, we will derive
False from MP in all extensions of the current library. Let $lib_1$ be
such an extension. To prove this we will now reserve the namespace
2 for Booleans. Let csn be a fresh choice sequence name in that
namespace—csn is fresh w.r.t. $lib_1$. We now instantiate MP with csn.
It is easy to prove that csn has type bool because its namespace
constrains its choices to be Booleans. Then, (1) we will prove that
$\neg(\forall n : \mathbb{N}.\ \neg{\uparrow}(\mathit{csn}(n)))$ and finally (2) we will derive False from
$\exists n : \mathbb{N}.\ {\uparrow}(\mathit{csn}(n))$.

(1) To prove $\neg(\forall n : \mathbb{N}.\ \neg{\uparrow}(\mathit{csn}(n)))$, we derive False from
$\forall n : \mathbb{N}.\ \neg{\uparrow}(\mathit{csn}(n))$, and this for all extensions of $lib_1$. Let $lib_2$ be such
an extension. The choice sequence csn might be filled with some
Booleans in that library $lib_2$. Let us assume that it is filled with $k$
Booleans. We then instantiate $\forall n : \mathbb{N}.\ \neg{\uparrow}(\mathit{csn}(n))$ with $k$, and we
get to assume that in all extensions $lib_3$ of $lib_2$, ${\uparrow}(\mathit{csn}(n))$ is not
inhabited. We create such an extension simply by adding the choice
tt to the choice sequence csn, i.e., tt is the $k$th choice in that
sequence. We now instantiate our assumption with this library, and
we have to derive False from $\neg{\uparrow}(\mathit{csn}(k))$, which is trivial because
$\mathit{csn}(k)$ computes to tt in $lib_3$.

(2) Now let us turn to deriving False from $\exists n : \mathbb{N}.\ {\uparrow}(\mathit{csn}(n))$.
This assumption says that there exists a bar of the current library
in which $n$ computes to a number $k$ and ${\uparrow}(\mathit{csn}(k))$ is true. To prove
that we can derive False from this, we simply use a library above
the bar where csn is filled with ff up to $k$, which concludes our
proof.


C Non-squashed LS1 


In addition to the $\downarrow$-squashed version of LS1 presented in Sec. 6.1,
we have also validated a non-squashed version of that axiom, namely
we have validated:²⁵


$$\forall n : \mathbb{N}.\ \forall f : \mathcal{B}_n.\ \exists a : \mathrm{Free}(0).\ f =_{\mathcal{B}_n} a$$


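To validate this non-squashed version of LS1 we have to provide
some computation that generates a choice sequence name $a \in \mathrm{Free}(0)$
given a finite sequence of numbers, provided as a pair of
a number $n \in \mathbb{N}$ and a function $f \in \mathcal{B}_n$. To achieve that, we added
the following expressions to BITT:


$$
\begin{array}{rcl}
t \in \mathrm{Term} & ::= & \cdots \mid \texttt{comp-cs-nat}([t_1], t_2)\\
 & \mid & \texttt{comp-cs-seq}_{l,i}([t_1], t_2)
\end{array}
$$


where $l$ and $i$ are parameters: $l$ is a list of Coq numbers, and $i$ is a
Coq number. These new expressions compute as follows:


$$
\begin{array}{lcll}
\texttt{comp-cs-nat}(0, t) & \mapsto_{lib} & (\texttt{""}, []) & \\
\texttt{comp-cs-nat}(i, t) & \mapsto_{lib} & \texttt{comp-cs-seq}_{[],i}(t(0), t) & \text{if } 0 < i\\
\texttt{comp-cs-seq}_{l,i}(j, t) & \mapsto_{lib} & (\texttt{""}, l \mathbin{@} [j]) & \text{if } i = |l| + 1\\
\texttt{comp-cs-seq}_{l,i}(j, t) & \mapsto_{lib} & \texttt{comp-cs-seq}_{l \mathbin{@} [j],i}(t(|l| + 1), t) & \text{if } |l| + 1 < i
\end{array}
$$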

Using these computations, we can then prove that the non-squashed
version of LS1 is inhabited by $\lambda n, f.\ \langle \texttt{comp-cs-nat}(n, f), \star \rangle$. The
proof is similar to the one of the $\downarrow$-squashed version of LS1.
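The reduction of comp-cs-nat and comp-cs-seq described above, as an added Python example (not code from the paper or from NuprlInCoq). It assumes the resulting name is the pair of the empty string and the accumulated list, and models the function argument as a Python callable; the class and function names are this example's own.

```python
# Added example, not from the paper or NuprlInCoq. Names are assumptions.
from dataclasses import dataclass
from typing import Callable, Tuple, Union

@dataclass(frozen=True)
class CsName:                    # choice sequence name: (string, space)
    name: str
    space: Tuple[int, ...]       # finite prefix the sequence must start with

@dataclass(frozen=True)
class CompCsNat:                 # comp-cs-nat(i, t), i already a number
    i: int
    t: Callable[[int], int]

@dataclass(frozen=True)
class CompCsSeq:                 # comp-cs-seq_{l,i}(j, t), j already a number
    l: Tuple[int, ...]
    i: int
    j: int
    t: Callable[[int], int]

Term = Union[CsName, CompCsNat, CompCsSeq]

def step(term: Term) -> Term:
    """Apply the single reduction rule that matches, or fail if stuck."""
    if isinstance(term, CompCsNat):
        if term.i == 0:
            return CsName("", ())
        if term.i > 0:
            return CompCsSeq((), term.i, term.t(0), term.t)
    if isinstance(term, CompCsSeq):
        nxt = len(term.l) + 1
        if term.i == nxt:
            return CsName("", term.l + (term.j,))
        if nxt < term.i:
            return CompCsSeq(term.l + (term.j,), term.i, term.t(nxt), term.t)
    raise ValueError("no reduction rule applies")

def evaluate(term: Term) -> Tuple[CsName, int]:
    """Reduce to a name; also return how many steps were taken."""
    steps = 0
    while not isinstance(term, CsName):
        term, steps = step(term), steps + 1
    return term, steps

def comp_cs_nat(n: int, f: Callable[[int], int]) -> CsName:
    """Name whose space is [f(0), ..., f(n-1)], as used to inhabit LS1."""
    return evaluate(CompCsNat(n, f))[0]
```

The function is only ever applied to indices below `n`, and a term such as `comp-cs-seq` with `i < |l| + 1` is stuck because no rule covers it.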


D Extensional LS2 


As mentioned in Sec. 6.2, both intensional and extensional equality 
over choice sequences are decidable. In addition to the standard 
intensional version of LS2, we have also validated the following 
extensional version of LS2:²⁶


²⁵ See https://github.com/vrahli/NuprlInCoq/tree/beth/rules/rules_choice4.v.
²⁶ See https://github.com/vrahli/NuprlInCoq/tree/beth/rules/rules_choice5.v.


LICS 18, , Mark Bickford, Liron Cohen, Robert L. Constable, and Vincent Rahli 


Proposition D.1 (Decidability of extensional equality). The fol- 
lowing holds in BITT: 


$$\forall a, b : \mathrm{Free}(0).\ a =_{\mathcal{B}} b \vee \neg a =_{\mathcal{B}} b$$
and it is inhabited by the term:
$$\lambda a, b.\ \texttt{if } a = b \texttt{ then tt else ff}$$


The proof of this proposition slightly differs from the one for the
intensional version of LS2. First of all, to prove that the proposition
is well-formed, i.e., that it is indeed a type, one has to prove that
Free(0) is a subtype of $\mathcal{B}$, which is true as shown in Prop. 5.1. Next,
we have to prove that if $a$ and $b$ have the same name (which is
decidable) then they are extensionally equal, i.e., equal in the $\mathcal{B}$
type; and otherwise they are not extensionally equal. Proving that
if $a$ and $b$ have the same name then they are extensionally equal
is trivial because $a$ and $b$ are the same sequence. Proving that if $a$
and $b$ do not have the same name then they are not extensionally
equal is slightly more complicated. According to the semantics of
$\neg$, to prove this we essentially have to prove that there exists an
extension of the current library where $a(k)$ and $b(k)$ compute to
different numbers, for some number $k$. More precisely, we first
assume that there exists an extension of the current library where
$a =_{\mathcal{B}} b$ is true, and we prove a contradiction. Let us call $lib'$ that
extension. Then, thanks to monotonicity, we know that $a =_{\mathcal{B}} b$
must be true in all extensions of $lib'$. We will create an extension
$lib''$ of $lib'$ where $a$’s $k$th choice is 0 for some number $k$, and $b$’s $k$th
choice is 1. One slight difficulty to create a valid extension of $lib'$
is to make sure that $k$ is greater than the length of any sequence in
the “space” part of the choice sequence names $a$ and $b$. Otherwise,
we might not be able to ensure that the $k$th choices for $a$ and $b$ are
0 and 1 because choices have to respect the restrictions embedded
in name spaces. Once we have filled $a$’s $k$th slot with 0 and $b$’s
$k$th slot with 1, it is straightforward to prove that $a$ and $b$ are not
extensionally equal because they compute to different values when
applied to $k$.
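The construction of the separating extension described above, as an added Python model (not the paper's Coq development). It assumes a library is a dictionary from names to the choices made so far, a name is a (string, space) pair whose space is a forced prefix, and unfilled slots take the default 0; these representations and all function names are this example's own, and k is additionally taken past every choice already recorded.

```python
# Added example, not the paper's Coq development. Representations are assumed.
from typing import Dict, List, Tuple

Name = Tuple[str, Tuple[int, ...]]      # (string, space); space = forced prefix
Library = Dict[Name, List[int]]         # choices made so far for each name

def allowed(name: Name, index: int, value: int) -> bool:
    """A choice respects the name space iff it agrees with the forced prefix."""
    space = name[1]
    return index >= len(space) or space[index] == value

def extends(new: Library, old: Library) -> bool:
    """new extends old: every old choice is kept and every choice is allowed."""
    kept = all(new.get(n, [])[:len(cs)] == cs for n, cs in old.items())
    legal = all(allowed(n, i, v)
                for n, cs in new.items() for i, v in enumerate(cs))
    return kept and legal

def fill(name: Name, choices: List[int], k: int, last: int) -> List[int]:
    """Pad with the forced prefix, then the default 0, and put `last` in slot k."""
    space = name[1]
    out = list(choices)
    while len(out) < k:
        out.append(space[len(out)] if len(out) < len(space) else 0)
    return out + [last]

def separate(lib: Library, a: Name, b: Name) -> Tuple[Library, int]:
    """Build an extension of lib in which a(k) = 0 and b(k) = 1."""
    if a == b:
        raise ValueError("same name: a and b are the same sequence")
    ca, cb = lib.get(a, []), lib.get(b, [])
    # k is greater than the length of both spaces and of both recorded prefixes
    k = 1 + max(len(a[1]), len(b[1]), len(ca), len(cb))
    new = dict(lib)
    new[a], new[b] = fill(a, ca, k, 0), fill(b, cb, k, 1)
    return new, k
```

Choosing k inside either space would make `allowed` reject one of the two choices, which is the difficulty the proof points out.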